[messaging] Key rotation

carlo von lynX lynX at i.know.you.are.psyced.org
Tue Jan 6 02:01:49 PST 2015

> On Tue, Jan 06, 2015 at 10:04:41AM +0100, carlo von lynX wrote:
> > I think the assumption of this being important to users may be incorrect,
> > we should investigate this better. Most cases when people email strangers
> > are actually situations when people would have added a person from the
> > social graph of their existing contacts, had they had such a social graph
> > at their disposal. Just look at Facebook behavior patterns. The other common
> > situation for mailing strangers is when you are contacting a company or an 
> > authority - in those cases a QR code printed on a brochure would do the job.
> > So I don't see a use case for a complete bootstrap out of pitch darkness.

On Tue, Jan 06, 2015 at 01:38:43AM -0800, Andy Isaacson wrote:
> I am currently visiting a city where I know nobody, and there is an open
> source project headquartered here that is relevant to my professional
> interests, but that I have no 1-degree or 2-degree (that I know of)
> social contacts with.
> I'm going to email them with pointers to my relevant publicly disclosed
> work, and this is a use case which it would be nice to build
> communication systems to support.

You've known that project for a while. You've been visiting their
website and you have obtained a cryptographic identification for that
website and the project related to it. What we need is not a way that
allows anyone to get spammed by anyone, but merely support for the use
case that you would like to get in touch with this open source project.

What I say is, the separation between "the web" and "the mail system" at
this point is counterproductive. Facebook's fan pages make much more sense
usability-wise: Your social graph confirms to you that you are indeed on
the website of that project (you don't need to know beforehand who of the
hundreds of people in your social network know people in this project in
person, but there will be some), and the messaging function on that website 
allows you as an individual to get in touch with whoever currently runs 
that project.

No reason to also allow fraudulent companies to spam individuals as
the current mail system allows. What we want is that it is always the
individual that initiates the communication with a company, collective,
project, government, whatever. There are several ways to make that possible.
I like using the personal glimpse of the distributed social graph, because 
it does not require external authorities. But certification authorities or
QR codes on brochures can do that part of the deal, too, or any combination
of these methods.

> The lack of support for this use case is, IMO, one of the major blocking
> points for Pond as an email replacement.  (Pond currently doesn't even
> support the simpler use case of "Hi Alice, let me introduce Bob, you two
> should talk", but at least there is a proposal on the table for
> supporting introductions in Pond.)

Yes, Pond is not a distributed social network, and so it cannot grow
exponentially by friend adoption. Shared secrets are too bureaucratic a
bootstrap method, even though PANDA is a pretty cool hack. Kudos to ioerror.
